Amazon Web Services (AWS) - Get Secret from AWS Secrets Manager using Python boto3


This assumes you are familiar with the basic configuration needed to connect to Amazon Web Services (AWS) using Python boto3. If not, check out my article Python (Scripting) - Getting Started with Amazon Web Services (AWS) boto3.

Here is the minimal boilerplate code without any error handling to get a secret.

#!/usr/bin/python3
import boto3

client = boto3.client('secretsmanager')
secret_dict = client.get_secret_value(
    SecretId='postgres'
)

print(f"secret_dict= {secret_dict}")

 

Here is a more practical example, with try/except/else error handling.

#!/usr/bin/python3
import boto3
import sys

try:
  client = boto3.client('secretsmanager')
except Exception as exception:
  print(exception)
  sys.exit(1)

try:
  secret_dict = client.get_secret_value(
    SecretId='postgres'
  )
except Exception as exception:
  print(exception)
else:
  print(f"secret_dict= {secret_dict}")

 

By default, the "default" profile in your .aws/credentials file is used. boto3.Session can be used to select some other profile.

#!/usr/bin/python3
import boto3

session = boto3.Session(profile_name='johndoe')
client = session.client('secretsmanager')

secret_dict = client.get_secret_value(
    SecretId='postgres'
)

print(f"secret_dict= {secret_dict}")

 

Or, os.environ['AWS_PROFILE'] can be used to specify the profile in /home/john.doe/.aws/config and /home/john.doe/.aws/credentials to use.

import boto3
import os

os.environ['AWS_PROFILE'] = 'johndoe'

client = boto3.client('secretsmanager')
secret_dict = client.get_secret_value(
    SecretId='postgres'
)

print(f"secret_dict= {secret_dict}")

 

Which should return something like this. Notice that SecretString contains the secret key/value pairs.

secret_dict = {
  'ARN': 'arn:aws:secretsmanager:us-east-1:123456789012:secret:postgres-tD1U2U',
  'Name': 'postgres',
  'VersionId': '0a8aa38f-b95e-42ab-acc9-7745aa710f23',
  'SecretString': '{
     "username":"john.doe",
     "password":"itsasecret"
  }', 
  'VersionStages': ['AWSCURRENT'],
  'CreatedDate': datetime.datetime(2023, 8, 23, 17, 23, 54, 737000, tzinfo=tzlocal()), 
  'ResponseMetadata': {
    'RequestId': '20f6bfec-58f0-4124-aa29-77ea72a5c5b0',
    'HTTPStatusCode': 200, 
    'HTTPHeaders': {
      'x-amzn-requestid': '20f6bfec-58f0-4124-aa29-77ea72a5c5b0',
      'content-type': 'application/x-amz-json-1.1',
      'content-length': '299',
      'date': 'Sat, 26 Aug 2023 00:13:32 GMT'
    },
    'RetryAttempts': 0
  }
}

 

Since SecretString contains the secret key/value pairs, we can do the following.

import json

# SecretString is a JSON string, so parse it into a dictionary
postgres_secret = json.loads(secret_dict['SecretString'])

print(f"postgres_secret = {postgres_secret}")
print(f"postgres username = {postgres_secret['username']}")
print(f"postgres password = {postgres_secret['password']}")

 

Which should return something like this.

postgres_secret = {'username': 'john.doe', 'password': 'itsasecret'}
postgres username = john.doe
postgres password = itsasecret
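
The print statements above write the full response, including the password, to standard output. The following is an added example, not code from the original article: it parses SecretString the same way but returns a redacted copy of the response for printing or logging. The names get_secret, parse_secret_string, redact_response and StubClient are hypothetical, and StubClient is a constructed stand-in so the example runs offline; in real use, pass boto3.client('secretsmanager') instead.

```python
import json

SENSITIVE_FIELDS = ("SecretString", "SecretBinary")

def redact_response(response):
    """Return a copy of a get_secret_value response that is safe to print or log."""
    safe = {k: v for k, v in response.items() if k != "ResponseMetadata"}
    for field in SENSITIVE_FIELDS:
        if field in safe:
            safe[field] = "<redacted>"
    return safe

def parse_secret_string(response):
    """Return the key/value pairs in SecretString; a plain-text secret comes back under 'value'."""
    if "SecretString" not in response:
        raise ValueError("response has no SecretString; binary secrets are not handled here")
    raw = response["SecretString"]
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return {"value": raw}
    return parsed if isinstance(parsed, dict) else {"value": raw}

def get_secret(client, secret_id, required_keys=()):
    """Fetch a secret and return (parsed key/value pairs, redacted response for logging)."""
    response = client.get_secret_value(SecretId=secret_id)
    secret = parse_secret_string(response)
    missing = [key for key in required_keys if key not in secret]
    if missing:
        # Report key names only, never the values
        raise KeyError(f"secret {secret_id!r} is missing keys: {missing}")
    return secret, redact_response(response)

class StubClient:
    """Constructed stand-in for boto3.client('secretsmanager'), using the sample values above."""
    def get_secret_value(self, SecretId):
        return {
            "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:postgres-tD1U2U",
            "Name": SecretId,
            "SecretString": '{"username":"john.doe","password":"itsasecret"}',
            "VersionStages": ["AWSCURRENT"],
        }

if __name__ == "__main__":
    secret, summary = get_secret(StubClient(), "postgres", ("username", "password"))
    print(f"summary = {summary}")  # metadata only, safe for logs
    print(f"postgres username = {secret['username']}")
```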

 

 



